JP5506705B2 - Secret matching system, secret matching device, secret matching method, secret matching program - Google Patents

Description

  The present invention relates to a cryptographic application technique, and more particularly to a secret matching system, a secret matching apparatus, a secret matching method, and a secret matching program that perform function calculation without revealing input data.

  As a method of obtaining a specific calculation result without restoring the encrypted numerical value, for example, there is a method called secret calculation in Non-Patent Document 1. In the method of Non-Patent Document 1, encryption is performed such that numerical fragments are distributed to three secret computing devices, and addition / subtraction, constant sum, multiplication, constant multiplication, logical operation (negative, logical product) are performed without restoring the numerical values. , Logical sum, exclusive logical sum), and data format conversion (integer, binary number) can be held in a state of being distributed to the three secret computing devices, that is, encrypted. Non-Patent Document 2 is characterized in that the correspondence between values before and after sorting is calculated so that no one knows, and a plurality of encrypted data are sorted by values calculated from plaintext. A secret sorting method for calculating the resulting ciphertext has been proposed. In Non-Patent Document 2, an arbitrary comparison sort such as a quick sort is realized on a secret calculation without increasing the number of comparisons.

Koji Senda, Hiroki Hamada, Igarashi Univ., Katsumi Takahashi, “Reconsideration of Lightweight Verifiable 3-Party Secret Function Calculation”, In CSS, 2010. Hiroki Hirota, Dai Igarashi, Koji Senda, Katsumi Takahashi, “Random replacement protocol for computing three-party secret functions”, In CSS, 2010.

  Normally, when sorting records in a table with multiple records, there are two types of elements included in the records: elements (values) that are used directly in the calculation of sorts and elements (values) that are not used in the calculation of sorting It is divided into. For example, if each record is a set of four elements (age, gender, weight, annual income) and you want to sort in ascending order by weight, the age, gender, and annual income elements of each record are used directly in the calculation of the sort. I will not. However, in the prior art, when records are rearranged by sorting or the like, rearrangement is performed including elements (values) that are not directly used for calculation of sorting, and the calculation efficiency is poor. Further, in processing such as sorting in secret calculation, it is necessary to perform rearrangement so that no one knows the correspondence before and after sorting in order to hide information. For this reason, if an element that is not necessary for sorting is separated from an element that is necessary for sorting, elements that were originally the same record cannot be connected after the sorting is completed.

  In the present invention, even when sorting by secret calculation is performed only on a table including elements necessary for sorting among two or more tables corresponding to each record, the records of all the tables are arranged after the sorting is completed. The purpose is to provide technology that connects the two.

The secret matching system of the present invention is composed of three or more secret matching devices, each consisting of M records x _1j ,..., X _Mj , and J tables [X ₁ ], From the table [X _1S ],..., [X _JS ] after the predetermined processing is applied to... [X _J ], the tables X _1S,. , X Calculate a secret-distributed table corresponding to the table in which the _JS records are rearranged. Here, M is an integer greater than or equal to 2, J is an integer greater than or equal to 2, i and j are integers greater than or equal to 1 and less than or equal to J, [] is a symbol indicating information in which information in parentheses is secretly shared for each element, Includes processing for rearranging records for at least one table, [h _jS ] is a vector corresponding to the vector [h _j ] after the predetermined processing, and [X _jS ] is the predetermined A table corresponding to the table [X _j ] after the above processing. Note that, as described above, in the predetermined processing, no processing may be performed on some tables. When no processing is performed, [X _jS ] = [X _j ].

The secret matching system of the present invention includes correspondence vector generation means, correspondence random replacement means, correspondence vector decoding means, and correspondence rearrangement means. Corresponding vector generation means generates a vector h _a having M different values to the element, obtains the vector [h _a] each element of the vector h _a by secret sharing, randomly substituted vector [h _a] To obtain the vector [h]. For j = 1 to J, correspondence is maintained even if each element of the same vector [h _j ] as the vector [h] is subjected to the predetermined processing on each record of the table [X _j ]. Associate. Corresponding for random substitution means, for j = 1 to J, Table _{[X jS]} vector _{[h jS]} and the records corresponding with the remains secure computing maintaining the random replacement, table _{[X jR} which are randomly substituted ] And a vector [h _jR ]. Corresponding for vector decoding unit, the vector _[h 1R], ..., and decodes the _{[h JR]} vector _h 1R, _..., determine the _{h JR.} The correspondence rearranging means sets h _jR = h _iR for the records in the table [X _jR ] (where j = 1,..., J and j ≠ i) other than the table [X _iR ] that maintains the record order. Rearrange as follows.

  According to the secret matching system of the present invention, it is possible to realize a technique frequently used on a normal computer by secret calculation, in which, when sorting or the like, it is only necessary to move the pointer instead of moving the data body. When sorting is performed on a secret calculation, since it is necessary to hide information, processing is performed so that no one knows the correspondence between data before and after sorting. Therefore, if the table records are simply divided to create two or more tables, the corresponding records cannot be matched after sorting. In the secret matching system of the present invention, data corresponding to marks are provided in advance between corresponding records. Then, after processing such as sorting is completed, corresponding records can be linked even if the correspondence is not known in the middle by using this mark. As described above, according to the secret matching system of the present invention, it is possible to sort only by a portion necessary for sorting and to move other portions after the sorting is completed, so that the calculation efficiency can be improved. .

1 is a diagram illustrating a functional configuration example of a secret matching system according to Embodiment 1. FIG. The figure which shows the processing flow of the secret matching system of Example 1. FIG. FIG. 6 is a diagram illustrating a functional configuration example of a secret matching system according to a second embodiment. The figure which shows the processing flow of the secret matching system of Example 2. FIG. FIG. 10 is a diagram illustrating a functional configuration example of a secret matching system according to a third embodiment. The figure which shows the processing flow of the secret matching system of Example 3. FIG. It shows a secret matching system showing in detail an example of the functional configuration of a secret sharing apparatus 100 _n which can be utilized in the present invention. The figure which shows the example of the 1st process flow of random substitution. The figure which shows the 2nd processing flow example of random substitution.

  Hereinafter, embodiments of the present invention will be described in detail. In addition, the same number is attached | subjected to the structure part which has the same function, and duplication description is abbreviate | omitted.

FIG. 1 shows a functional configuration example of the secret matching system according to the first embodiment. FIG. 2 shows a processing flow of the secret matching system of the first embodiment. The secret matching system according to the first embodiment includes N secret matching devices 10 ₁ ,..., 10 _N connected via a network 1000. Then, the secret matching system of the first embodiment, M-number of records _x 1j, respectively, _..., J-number of table records together consist _{x Mj} is associated _[X 1], ..., with respect to _{[X J]} The tables X _1S ,..., X _JS are rearranged from the tables [X _1S ],..., [X _JS ] after the predetermined processing is performed so that the associated records are in the same order. Calculate the secret-distributed table corresponding to the table. Here, M is an integer greater than or equal to 2, N is an integer greater than or equal to 3, J is an integer greater than or equal to 2, n is an integer greater than or equal to 1 and less than or equal to N, i and j are integers greater than or equal to 1 and less than or equal to J, and [] are parentheses. Symbol indicating information in which information is secretly distributed for each element, predetermined processing includes processing for rearranging records for at least one table, [h _jS ] is a vector [h _jS after predetermined processing vector corresponding to _j], and the table corresponding to _{[X jS]} Table after predetermined processing _{[X j].} Note that, as described above, in the predetermined processing, no processing may be performed on some tables. When no processing is performed, [X _jS ] = [X _j ].

The secret matching device 10 _n includes a matching control unit 300 _n , a secret sharing device 100 _n , and a recording unit 190 _n . The secret sharing apparatus 100 _n performs individual secret calculations necessary for the processing of the first embodiment in accordance with instructions from the matching control unit 300 _n . Individual secret calculations required for the processing of the present invention include secret sharing, decryption, and random replacement. However, the present invention efficiently sorts using these secret calculations, and is not an invention characterized by the secret calculation itself. Therefore, an example of the secret calculation will be described later, and a description thereof will be omitted to facilitate understanding of the points of the present invention. Note that the secret calculation method described below is an example, and does not limit the secret calculation that can be used by the present invention. The recording unit 190 _n is a component that records information necessary for processing of the secret matching device 10 _n . The selection means 105 shown in FIG. 1 is used in the secret calculation described later, but may not be provided depending on the secret calculation to be used.

The matching control unit 300 _n of each secret matching device 10 _n includes a correspondence vector generation unit 310 _n , a correspondence random replacement unit 320 _n , a correspondence vector decoding unit 330 _n , and a correspondence rearrangement unit 340 _n . And the corresponding vector generation means 310 (not shown) of the secret matching system is constituted by the corresponding vector generation units 310 ₁ ,..., 310 _N , and the corresponding random replacement means 320 (not shown) random permutation unit ₃₂₀ 1, ..., 320 is composed of _N, corresponding for vector decoding unit 330 (not shown) corresponding for vector decoding unit ₃₃₀ 1, ..., it is composed of 330 _N, corresponding for rearranging unit 340 ( (Not shown) is composed of correspondence rearranging units 340 ₁ ,..., 340 _N.

Corresponding vector generation unit 310 generates a vector h _a having M different values to the element, obtains the vector [h _a] each element of the vector h _a by secret sharing, random vector [h _a] The vector [h] is obtained by replacement. For j = 1 to _J , each element of the same vector [h _j ] as the vector [h] is associated with each record of the table [X _j ] so that the correspondence is maintained even if a predetermined process is performed. (S310). More specifically, the corresponding vector generation unit ₃₁₀ 1, ..., 310 _N (corresponding vector generation means 310) generates the vector _{h a} having M different values to the elements, the secret sharing apparatus ₁₀₀ 1, .., 100 _N , each element of the vector h _a is secretly distributed to obtain the vector [h _a ], and the vector [h _a ] is randomly replaced to obtain the vector [h]. Then, for j = 1 to _J , each element of the same vector [h _j ] as that of the vector [h] is associated with each record of the table [X _j ].

Next, predetermined processing that may change the order of records such as sorting is performed on a part or all of the table [X ₁ ],..., [X _J ], and the processed table [X _1S ], [ _XJS ] are obtained (S315). Therefore, in the table [X _1S ],..., [X _JS ], there is a possibility that the records that originally corresponded are in different orders.

  Note that the predetermined processing in step S315 may be performed by combining the following four arithmetic operations for secret calculation and logical operations for secret calculation. For example, if x = y is confirmed by a secret calculation, it can be realized by using a logic circuit technique stored as a conventional technique. For example, you may confirm as follows by negation of the logical sum of the exclusive OR of each bit which expanded x and y 2 bits.

_{C = 1 - {(x B} [∨] y B) ∨ ··· ∨ (x 1 [∨] y 1)} (1)
However, [∨] is a symbol indicating an exclusive OR (XOR), ∨ symbols indicating the logical sum (OR), x _b is b-th bit value from the bottom of x when the 2-bit expansion, y _b is The value of the b bit from the bottom of y when 2-bit expansion is performed, and B is the number of digits of x and y when 2-bit expansion is performed. In Expression (1), if C = 1, x = y (true), and if C = 0, x ≠ y (false). In addition, since each calculation of Expression (1) is shown in an example of secret calculation described later, the calculation of Expression (1) can be executed by secret calculation, and secret-distributed [C] is obtained. Therefore, if the branch after confirmation is also kept secret, the secret calculation using [C] may be further combined. Note that the secret calculation described later covers the basic calculation methods for secret sharing of numerical values, decryption of secret-distributed fragments, four arithmetic operations of secret-distributed numerical values, and logical operations for each secret-distributed bit. ing. Therefore, if the logic circuit technique accumulated as the conventional technique is used, a desired calculation can be executed by a combination of secret calculation methods to be described later, like the above-described method of confirming equality.

Corresponding random replacement means 320 performs random replacement between records by secret calculation while maintaining the correspondence between table [X _jS ] and vector [h _jS ] for j = 1 to J, and randomly replaces the table [X _jR ] and the vector [h _jR ] are obtained (S320). More specifically, the corresponding random replacement unit 320 ₁ ,..., 320 _N (corresponding random replacement means 320) is _{configured to store} each record of the table [X _jS ] and the vector [h _jS ] for j = 1 to J. The secret sharing apparatus 100 ₁ ,..., 100 _N performs random replacement by the same bijection for each element, and obtains the randomly replaced table [X _jR ] and vector [h _jR ].

The corresponding vector decoding means 330 decodes the vectors [h _1R ],..., [H _JR ] to obtain the vectors h _1R ,..., H _JR (S330). More specifically, the corresponding vector decryption units 330 ₁ ,..., 330 _N (corresponding vector decryption means 330) _apply the vectors [h _1R ],..., [H _{JR to the} secret sharing apparatuses 100 _{1 ,.} ] To obtain vectors h _1R ,..., H _JR .

The correspondence rearranging means 340 rearranges the records in the table [X _jR ] so that h _jR = h _iR for all combinations of j and i (S340). More specifically, the correspondence sorting unit 340 ₁ ,..., 340 _N (corresponding sorting means 340) specifies a table [X _iR ] that maintains the record order. Then, the records in the table [X _jR ] (where j = 1,..., J and j ≠ i) other than the table [X _iR ] may be rearranged so that h _jR = h _iR .

In the secret matching system of the present embodiment, a vector [h _j ] is associated with each record as data serving as a mark between corresponding records in advance. Then, after processing such as sorting is completed, corresponding records can be linked even if the correspondence is not known in the middle by using this mark. As described above, according to the secret matching system of the present embodiment, it is possible to sort only by a portion necessary for sorting and to move other portions after the sorting is completed, thereby improving calculation efficiency. it can.

FIG. 3 shows a functional configuration example of the secret matching system according to the second embodiment. FIG. 4 shows a processing flow of the secret matching system according to the second embodiment. The secret matching system according to the second embodiment includes N secret matching devices 20 ₁ ,..., 20 _N connected via a network 1000. The secret matching system according to the second embodiment sorts using some or all elements of each record of the table [X ₁ ] having M records. Also, nothing is performed on the table [X ₂ ]. Here, M is an integer of 2 or more, N is an integer of 3 or more, J = 2, n is an integer of 1 to N, j is an integer of 1 to J, and [] is information in parentheses for each element. It is a symbol indicating information that is secretly shared.

The secret matching device 20 _n includes a matching control unit 400 _n , a secret sharing device 100 _n , and a recording unit 190 _n . The secret sharing apparatus 100 _n performs individual secret calculations necessary for the processing of the second embodiment in accordance with instructions from the matching control unit 400 _n . However, since the present invention efficiently sorts using these secret calculations and is not an invention characterized by the secret calculation itself, the secret calculation will be described later with reference to an example. The description in is omitted.

The matching control unit 400 _n of each secret matching device 20 _n includes a corresponding vector generation unit 310 _n , a corresponding random replacement unit 320 _n , a corresponding vector decoding unit 330 _n , a corresponding rearrangement unit 340 _n , and a table division unit 405. _n , a vector combination unit 450 _n , a table combination unit 460 _n , a table random replacement unit 470 _n , a sorting vector decoding unit 480 _n , and a sort unit 490 _n . And the corresponding vector generation means 310 (not shown) of the secret matching system is constituted by the corresponding vector generation units 310 ₁ ,..., 310 _N , and the corresponding random replacement means 320 (not shown) random permutation unit ₃₂₀ 1, ..., 320 is composed of _N, corresponding for vector decoding unit 330 (not shown) corresponding for vector decoding unit ₃₃₀ 1, ..., it is composed of 330 _N, corresponding for rearranging unit 340 ( illustrated not) corresponding for rearranging unit ₃₄₀ 1, ..., is composed of 340 _N, the table division means 405 (not shown) which consists of a table division unit ₄₀₅ 1, ..., 405 _N, a vector connecting means 450 (not shown) is the vector combining unit ₄₅₀ 1, ..., is composed of 450 _N, the table coupling means 460 (not shown) Table coupling portion 460 ₁ ..., is composed of 460 _N, Table random permutation unit 470 (not shown) Table random permutation unit ₄₇₀ 1, ..., 470 is composed of _N, (not shown) for sorting vector decoding unit 480 for sorting vector decoding unit ₄₈₀ 1, ..., it is composed of 480 _N, sorting means 490 (not shown) sorting unit ₄₉₀ 1, ..., and a 490 _N.

The table dividing unit 405 divides the table [X] into the table [X ₁ ] and the table [X ₂ ] so that the table [X ₁ ] includes at least elements used for predetermined processing (S405). More specifically, the table partitioning unit 405 ₁ ,..., 405 _N (table partitioning unit 405) stores the table [X] in the secret sharing apparatuses 100 ₁ ,..., 100 _N and M records x _1j , .., X _Mj is divided into a table [X ₁ ] and a table [X ₂ ] in which records are associated with each other.

Corresponding vector generation unit 310 generates a vector h _a having M different values to the element, obtains the vector [h _a] each element of the vector h _a by secret sharing, random vector [h _a] The vector [h] is obtained by replacement. For j = 1, 2, each element of the same vector [h _j ] as that of the vector [h] is associated with each record of the table [X _j ] so that the correspondence is maintained even if a predetermined process is performed. (S310). More specifically, the corresponding vector generation unit ₃₁₀ 1, ..., 310 _N (corresponding vector generation means 310) generates the vector _{h a} having M different values to the elements, the secret sharing apparatus ₁₀₀ 1, .., 100 _N , each element of the vector h _a is secretly distributed to obtain the vector [h _a ], and the vector [h _a ] is randomly replaced to obtain the vector [h]. Then, for j = 1, 2, each element of the same vector [h _j ] as the vector [h] is associated with each record of the table [X _j ].

Then, a predetermined process that could order the record changes, run against the table _{[X 1],} the table after processing _{[X 1S]} and obtain a table _{[X 2S]} (S315). Note that since the table [X ₂ ] is a table composed of only elements not related to sorting, the sorting is not executed. Therefore, the order of the records in the table [X _1S ] and the table [X _2S ] may be different.

The vector combining unit 450 creates a vector c composed of M elements having different values, secretly distributes each element to obtain a vector [c], and after a predetermined process, converts each element of the vector [c] Corresponding to each record of the table [X _1S ], the correspondence is maintained (S450). More specifically, the vector combination units 450 ₁ ,..., 450 _N (vector combination means 450) create a vector c composed of M elements having different values, and secret sharing apparatuses 100 _{1 ,.} The vector [c] is obtained by secretly sharing each element. Then, after predetermined processing (for example, processing that the table [X ₁ ] is sorted based on specific elements and nothing is performed on the table [X ₂ ]), each element of the vector [c] is displayed. [X _1S ] is associated with each record so that the correspondence is maintained. Each element of the vector c is a value for indicating the order of each record in the table. For example, a value from 1 to M may be used. However, it is not necessary to limit the value from 1 to M. In addition, since nothing is performed on the table [X ₂ ], [X _2S ] = [X ₂ ].

The correspondence random replacement means 320 performs random replacement between records by secret calculation while maintaining the correspondence between the table [X _jS ] and the vector [h _jS ] for j = 1, 2, and the randomly replaced table [X _jR ] and the vector [h _jR ] are obtained (S320). More specifically, the corresponding random replacement unit 320 ₁ ,..., 320 _N (corresponding random replacement means 320) is _{configured to store} each record of the table [X _jS ] and the vector [h _jS ] for j = 1, 2. The secret sharing apparatus 100 ₁ ,..., 100 _N performs random replacement by the same bijection for each element, and obtains the randomly replaced table [X _jR ] and vector [h _jR ].

The corresponding vector decoding means 330 decodes the vectors [h _1R ] and [h _2R ] to obtain the vectors h _1R and h _2R (S330). More specifically, the corresponding vector decryption units 330 ₁ ,..., 330 _N (corresponding vector decryption means 330) _assign the vectors [h _1R ], [h _2R ] to the secret sharing apparatuses 100 _{1 ,.} Decoding is performed to obtain vectors h _1R and h _2R .

The correspondence rearranging means 340 rearranges the records in the table [X _2R ] so that h _2R = h _1R (S340). More specifically, the correspondence rearrangement unit 340 ₁ ,..., 340 _N (correspondence rearrangement means 340) sets the records in the table [X _2R ] other than the table [X _1R ] to h _2R = h _1R. Rearrange as follows.

The table combining unit 460 combines the tables [X _1R ] and [X _2R ] to obtain the table [X _R ] (S460). More specifically, the table coupling units 460 ₁ ,..., 460 _N (table coupling unit 460) associate the vectors [h _1R ] and [h _2R ] with the tables [X _1R ] and [X _2R ]. The table [X _1R ] and [X _2R ] are combined to obtain the table [X _R ].

The table random replacement means 470 randomly replaces the records in the table [X _R ] by secret calculation to obtain the table [X _RR ] (S470). More specifically, Table random permutation unit ₄₇₀ 1, ..., 470 _N (Table random replacement unit 470), the random secret sharing apparatus ₁₀₀ 1, ..., to 100 _N through the records in the table _{[X R]} in secure computing Substitution is made to obtain the table [X _RR ].

The sorting vector decoding unit 480 decodes the vector [c _RR ] after the processing by the table random replacement unit 470 of the vector [c] associated with the table [X _1S ] to obtain the vector c _RR (S480). More specifically, the vector [c] associated with the table [X _1S ] is randomly replaced by the processing of the table random replacement means 470 to become a vector [c _RR ]. The sorting vector decoding units 480 ₁ ,..., 480 _N (sorting vector decoding means 480) cancel the association between the vector [c _RR ] and the table [X _RR ], and the secret sharing apparatus 100 ₁ ,. , 100 _N decode the vector [c _RR ] to obtain the vector c _RR .

The sorting means 490 moves each record of the table [X _RR ] so that each element of the vector c _RR matches each element of the vector c (S490). For example, if the vector c is a vector arranged in order from 1 to M, the sorting means (S490) moves the records of the table [X _RR ] in the order indicated by the elements of the vector c _RR. Good (S490).

The secret matching system of the present embodiment also associates a vector [h _j ] with each record as data that serves as a mark between corresponding records in advance. Then, after processing such as sorting is completed, corresponding records can be linked even if the correspondence is not known in the middle by using this mark. Further, before a predetermined process (a process in which the order of records may be changed like sort), a table [X ₁ ] including elements necessary for the predetermined process and a table including elements not required for the predetermined process The table [X] is divided into [X ₂ ], the predetermined process is performed only on the table [X ₁ ], and the table [X ₂ ] is joined after the predetermined process is completed. Since the order of records is returned to the later order, the calculation efficiency can be improved.

FIG. 5 shows a functional configuration example of the secret matching system according to the third embodiment. FIG. 6 shows a processing flow of the secret matching system according to the third embodiment. The secret matching system according to the third embodiment includes N secret matching devices 30 ₁ ,..., 30 _N connected via a network 1000. Then, in the secret matching system of Example 3, predetermined processing B number of process F _1, ..., consisting of F _B. The process F _b is a process that uses part or all of the table [X ₁ ],..., [X _J ] having M records. The predetermined process is a process determined for each process F _b , and a table used for the process is also determined for each process F _b . Here, M is an integer of 2 or more, N is an integer of 3 or more, J is an integer of 2 or more, n is an integer of 1 to N, i and j are integers of 1 to J, and B is an integer of 1 or more , B is an integer from 1 to B, D is an integer from 1 to J, d is an integer from 1 to D, b (1),..., B (D) are different integers from 1 to D, D ′ Is an integer of 1 or more, and [] is a symbol indicating information in which information in parentheses is secretly shared for each element.

The secret matching device 30 _n includes a matching control unit 500 _n , a secret sharing device 100 _n , and a recording unit 190 _n . The secret sharing apparatus 100 _n performs individual secret calculations necessary for the processing of the third embodiment in accordance with instructions from the matching control unit 500 _n . However, since the present invention efficiently sorts using these secret calculations and is not an invention characterized by the secret calculation itself, the secret calculation will be described later with reference to an example. The description in is omitted.

The matching control unit 500 _n of each secret matching device 30 _n includes a corresponding vector generation unit 310 _n , a corresponding random replacement unit 320 _n , a corresponding vector decoding unit 330 _n , a corresponding rearrangement unit 340 _n , and a table partitioning unit 505. _n , a processing random replacement unit 520 _n , a processing vector decoding unit 530 _n , a processing rearranging unit 540 _n , a processing vector corresponding unit 550 _n , a processing unit 560 _n , and a processing repeating unit 570 _n . And the corresponding vector generation means 310 (not shown) of the secret matching system is constituted by the corresponding vector generation units 310 ₁ ,..., 310 _N , and the corresponding random replacement means 320 (not shown) random permutation unit ₃₂₀ 1, ..., 320 is composed of _N, corresponding for vector decoding unit 330 (not shown) corresponding for vector decoding unit ₃₃₀ 1, ..., it is composed of 330 _N, corresponding for rearranging unit 340 ( illustrated not) corresponding for rearranging unit ₃₄₀ 1, ..., is composed of 340 _N, the table division means 505 (not shown) table partitioning unit ₅₀₅ 1, ..., is composed of 505 _N, a random for processing replacing means 520 (not shown) for processing random permutation unit ₅₂₀ 1, ..., is composed of 520 _N, the processing vector decoding unit 530 (do not illustrated ) Is processing vector decoding unit ₅₃₀ 1, ..., is composed of 530 _N, the processing rearranging unit 540 (not shown) processing rearranging unit ₅₄₀ 1, ..., is composed of 540 _N, the processing vector corresponding means 550 (not shown) processing vector corresponding unit ₅₅₀ 1, ..., is composed of 550 _N, the processing means 560 (not shown) processing unit ₅₆₀ 1, ..., is composed of 560 _N, the processing use repetition unit 570 (not shown) processing repeat unit ₅₇₀ 1, ..., and a 570 _N.

The table dividing means 505 divides the table [X] into J pieces and obtains the table [X ₁ ],..., [X _J ] (S505). More specifically, the table division unit ₅₀₅ 1, ..., 505 _N (Table dividing means 505), the table [X], M number of records _x 1j, respectively, _..., records each other consist _{x Mj} is associated Is divided into _J tables [X ₁ ],..., [X _J ]. These tables _{[X 1], ..., [} X J] is Example 1 Table _[X 1], ..., is the same as _{[X J].} The table partitioning means 505 generates a table [c ₀ ] generated by secret sharing each element of the vector c ₀ = (1, 2,..., M) ^T (where T indicates transposition). May be included in _J tables [X ₁ ],..., [X _J ]. As described above, the J tables may include elements other than those included in the table [X].

Corresponding vector generation unit 310 generates a vector h _a having M different values to the element, obtains the vector [h _a] each element of the vector h _a by secret sharing, random vector [h _a] The vector [h] is obtained by replacement. For j = 1 to _J , each element of the same vector [h _j ] as the vector [h] is associated with each record of the table [X _j ] so that the correspondence is maintained even if a predetermined process is performed. (S310). More specifically, the corresponding vector generation unit ₃₁₀ 1, ..., 310 _N (corresponding vector generation means 310) generates the vector _{h a} having M different values to the elements, the secret sharing apparatus ₁₀₀ 1, .., 100 _N , each element of the vector h _a is secretly distributed to obtain the vector [h _a ], and the vector [h _a ] is randomly replaced to obtain the vector [h]. Then, for j = 1 to _J , each element of the same vector [h _j ] as that of the vector [h] is associated with each record of the table [X _j ].

The processing repeater 570 (processing repeater 570 ₁ ,..., 570 _N ) substitutes 1 for b and initializes the repetitive processing (S571).

The processing random replacement means 520 selects a table [X _{b (1)} ],..., [X _{b (D)} ] having elements necessary for the processing F _b , and b (d) = b (1),. For b (D), records are randomly replaced by secret calculation while maintaining the correspondence between the table [X _{b (d)} ] and the vector [h _{b (d)} ], and the randomly replaced table [X _{b (d ) R} ] and a vector [h _{b (d) R} ] are obtained (S520). More specifically, processing random permutation unit ₅₂₀ 1, ..., 520 _N (processing random replacement unit 520), Table _{[X b (1)]} having the elements necessary to process _{F b,} ..., [X _{b (D)} ] is selected from the table [X ₁ ],..., [X _J ]. Here, D is an integer of 1 to J determined for each b. For example, if two tables are selected for the process F ₁ and three tables are selected for the process F ₂ , D = 2 when b = 1 and D = 3 when b = 2. In addition, b (1),..., B (D) is any number from 1 to J, and need not be arranged in order as b (1) <. For example, b (D) may be assigned to a higher priority in sorting processing, and b (1) may be assigned to a lower priority. Then, the processing random replacement units 520 ₁ ,..., 520 _N (processing random replacement means 520) use the table [X _{b (d)} ] for b (d) = b (1 ₎ ,. secret sharing apparatus ₁₀₀ 1 random substitution by the same bijective for each element of each record and the vector _{[h b (d)]} of, ..., 100 is performed in _N, randomly substituted table _{[X b ( d) R} ] and the vector [h _{b (d) R} ] are obtained. Note that “the same bijection for each record of the table [X _{b (d)} ] and each element of the vector [h _{b (d)} ]” means that the same table [X _{b (d)} ] between the same d. The same bijection is sufficient for the records and the elements of the vector [h _{b (d)} ].

The processing vector decoding means 530 decodes the vectors [h _{b (1) R} ],..., [H _{b (D) R} ] to obtain the vectors h _{b (1) R} ,..., H _{b (D) R.} (S530). More specifically, processing vector decoding unit ₅₃₀ 1, ..., 530 _N (processing vector decoding unit 530), secret sharing apparatus ₁₀₀ 1, ..., vector _{100 N [h b (1)} R], ... , [H _{b (D) R} ] is decoded to obtain a vector h _{b (1) R} ,..., H _{b (D) R.}

The processing reordering unit 540 sets h _{b (i) R} = h _b for all combinations of b (i) and b (d) (where i is any one of 1,..., D). _(D) The records of the table [ _{Xb (d) R} ] are rearranged so as to be _R, and the table [ _{Xb (1) T} ],..., [ _{Xb (D) T} ] is obtained (S540). More specifically, the processing rearrangement units 540 ₁ ,..., 540 _N (processing rearrangement unit 540) convert the table [ _{Xb (i) R} ] that maintains the record order into the table [ _{Xb ( 1) R} ],..., [ _{Xb (D) R} ] are specified. Then, records other than the table [ _{Xb (i) R} ] [ _{Xb (d) R} ] (b (d) ≠ b (i)) are changed to hb _{(i) R} = _{hb (d) R.} The table [ _{Xb (1) T} ],..., [ _{Xb (D) T} ] is obtained.

Processing vector corresponding means 550, the vector _{h b (i)} each element of a vector the elements were secret sharing of _{R [h b (i) R} ] Table _{[X b (1) T]} , ..., [X b _(D) Corresponding to each record of _T ] so that the correspondence is maintained even if the processing F _b is performed (S550). More specifically, processing vector corresponding unit ₅₅₀ 1, ..., 550 _N (processing vector corresponding means 550), the secret sharing apparatus ₁₀₀ 1, ..., each element of the vector _{h b (i) R} to 100 _N The vector [h _{b (i) R} ] is obtained by secret sharing. The correspondence is maintained even if the elements of the vector [h _{b (i) R} ] are subjected to the processing F _b for each record of the table [X _{b (1) T} ],..., [X _{b (D) T} ]. Correlate as

The processing means 560 performs the processing F _b on the table [X _{b (1) T} ],..., [X _{b (D) T} ] associated with the vector [h _{b (i) R} ], and performs processing F _b after the vector _{[h b (i) F]} is associated with process _{F b} after the table _{[X b (1) F]} , ..., obtaining the _{[X b (D ') F} ]. Then, predetermined J ′ vectors and tables are set so that there are zero or more from the J tables before the processing F _b and one or more from the D ′ tables after the processing F _b. Then, J ′ is updated to a new J, and a vector [h _jbS ] and a table [X _1bS ],..., [X _JbS ] after processing F _b are obtained (S560). For example, D '= a D, processing _{F b} after the table _{[X b (1) F]} , ..., [X b (D' _{a) F],} corresponding processing _{F b} previous table _{[X b (1 )],} ..., if replaced by _{[X b (D)],} since the J '= J, the number J of the table remains the same. Further, Table after treatment _{F b [X b (1)} F], ..., [X b (D ') F] may be simply added, in this case J' is = J + D ', the number of table J Increases by D '. More specifically, the processing units 560 ₁ ,..., 560 _N (processing unit 560) maintain the correspondence of the vector [h _{b (i) R} ] while maintaining the table [X _{b (1) T} ],. performs processing _{F b} against _{[X b (D) T]} , vector after processing _{F b [h b (i)} F] Table after treatment _{F b} associated is _{[X b (1) F} ], ..., [ _{Xb (D ') F} ] is obtained. Then, predetermined J ′ vectors and tables are set so that there are zero or more from the J tables before the processing F _b and one or more from the D ′ tables after the processing F _b. extracted, and updates the J 'on the new J, vector after processing _{F b [h jbS]} and Table _[X 1BS], _..., and _{[X JbS].}

The processing repeater 570 (processing repeater 570 ₁ ,..., 570 _N ) checks whether b = B. If Yes, the vector [h _jbS ] is changed to the vector [h _jS ] and the table [X _{1bS is set. ],} ..., _{[X JbS]} Table _[X 1S] a, ..., the process proceeds to step S320 as _{[X JS].} In the case of No, the vector [h _jbS ] is changed to the vector [h _j ], the table [X _1bS ],..., [X _JbS ] is changed to the table [X ₁ ], ..., [X _J ], and the process proceeds to step S573 (S572). . In step S573, the processing repeater 570 (processing repeater 570 ₁ ,..., 570 _N ) substitutes b + 1 for b, and returns to step S520.

Corresponding random replacement means 320 performs random replacement between records by secret calculation while maintaining the correspondence between table [X _jS ] and vector [h _jS ] for j = 1 to J, and randomly replaces the table [X _jR ] and the vector [h _jR ] are obtained (S320). More specifically, the corresponding random replacement unit 320 ₁ ,..., 320 _N (corresponding random replacement means 320) is _{configured to store} each record of the table [X _jS ] and the vector [h _jS ] for j = 1 to J. The secret sharing apparatus 100 ₁ ,..., 100 _N performs random replacement by the same bijection for each element, and obtains the randomly replaced table [X _jR ] and vector [h _jR ].

The corresponding vector decoding means 330 decodes the vectors [h _1R ],..., [H _JR ] to obtain the vectors h _1R ,..., H _JR (S330). More specifically, the corresponding vector decryption units 330 ₁ ,..., 330 _N (corresponding vector decryption means 330) _apply the vectors [h _1R ],..., [H _{JR to the} secret sharing apparatuses 100 _{1 ,.} ] To obtain vectors h _1R ,..., H _JR .

The correspondence rearranging means 340 sets the records in the table [X _jR ] (where j = 1,..., J and j ≠ i) other than the table [X _iR ] that maintains the record order as h _jR = h _iR . They are rearranged as follows (S340). More specifically, the correspondence sorting unit 340 ₁ ,..., 340 _N (corresponding sorting means 340) specifies a table [X _iR ] (a table including elements to be sorted). Then, the records in the table [X _jR ] (where j = 1,..., J and j ≠ i) other than the table [X _iR ] are rearranged so that h _jR = h _iR .

A specific example of the third embodiment will be described. For example Table Each attribute value as the M records elements of _{[X] [v} m], key _[k m1], ..., and has a _{[k mB].} A case will be described in which sorting is performed in the order of the keys [k _m1 ],..., [K _mB ]. That is, the process F _b is a process for performing sorting based on the keys [k _1b ],..., [K _Mb ].

Table splitting means 505, table [X] elements _{[v m], [k m1} ], ..., [k mB] Table _[v] by dividing _each, [k 1], ..., a _{[k B]} Ask. Further, a vector [c ₀ ] obtained by secret sharing each element of the vector c ₀ = (1, 2,..., M) ^T (where T represents transposition) is represented as a table [c ₀ ] (S505). ). In this case, J = B + 2, table [v] is table [X ₁ ], table [k ₁ ] is table [X ₂ ],..., Table [k _B ] is table [X _J-1 ], table [C ₀ ] corresponds to the table [X _J ].

The corresponding vector generation means 310 obtains a vector [h _a ] obtained by secretly distributing each element of the vector h _a = (1, 2,..., M) ^T (where T indicates transposition). The vector [h] is obtained by randomly replacing [h _a ]. Then, for j = 1 to _J , each element of the same vector [h _j ] as the vector [h] is recorded in each record of the tables [v], [k ₁ ],..., [K _B ], [c ₀ ]. Corresponding so that the correspondence is maintained even if the predetermined processing is performed (S310).

The processing repeater 570 (processing repeater 570 ₁ ,..., 570 _N ) substitutes 1 for b and initializes the repetitive processing (S571).

The processing random replacement means 520 selects tables [v], [k _b ], and [c _b-1 ] as tables having elements necessary for the process F _b . That is, D = 3, the table [v] is the table [X _{b (1)} ], the table [k _b ] is the table [X _{b (2)} ], and the table [c _b−1 ] is the table [X _{b ( 3)} Corresponds to]. The processing random replacement means 520 performs random replacement between records by secret calculation while maintaining the correspondence between the table [v] and the vector [h _{b (1)} ], and the table [k _b ] and the vector [h _{b (2 )]} were randomly replaced through the records corresponding as-in secure computing maintaining the random substitution of the records in the table [c _b-1] and vector [h b ₍₃₎ while maintaining the correspondence between secure computing To do. Then, the randomly substituted tables [v _R ], [k _bR ], [c _b-1R ] and the vectors [h _{b (1) R} ], [h _{b (2) R} ], [h _{b (3) R} ] Is obtained (S520).

The processing vector decoding means 530 decodes the vectors [h _{b (1) R} ], [h _{b (2) R} ], [h _{b (3) R} ], and the vectors h _{b (1) R} , h _{b ( 2) R 1} , h _{b (3) R} is obtained (S530).

The processing reordering unit 540 sets h _{b (i) R} = h _b for all combinations of b (i) and b (d) (where i is any one of 1,..., D). _(D) The records in the tables [v _R ], [k _bR ], and [c _b-1R ] are rearranged so as to be _R , and the tables [v _T ], [k _bT ], and [c _b-1T ] are obtained. (S540).

Processing vector corresponding unit 550, a vector the elements were secret sharing of the vector _{h b (i) R [h} b (i) R] Table _{[v T]} each element _{of, [k bT], [c} b- _1T ] is associated with each record so that the correspondence is maintained even if the process _Fb is performed (S550).

The processing unit 560 performs the process F _b on the tables [v _T ], [k _bT ], and [c _b−1T ] associated with the vector [h _{b (i) R} ]. For example, F _b decodes table [c _b-1T ] to obtain table c _b-1T . Then, the table [v _T ] is sorted according to the table c _{b-1T and the} table [v _T ] is sorted according to the table [k _bT ] to obtain the table [v _NEW ]. Further, the table [c _b ] is obtained by secretly sharing each element of the vector c _b = (1, 2,..., M) ^T (where T indicates transposition). That is, the D ′ tables after the process F _b are the table [v _NEW ] and the table [c _b ], and D ′ = 2. Then, the tables [k _{b + 1} ],..., [K _B ], [v _NEW ], [c _b ] are extracted and set as J ′ vectors. That is, J ′ = B−b + 2. Then, J ′ is updated to the new J, the table [v _NEW ] is changed to the new table [v], the vector [h _jbS ] after the processing F _b and the tables [k _{b + 1} ],..., [K _B ], [v ] And [c _b ] are obtained (S560).

The process _repeater 570 checks whether b = B, and if yes, sets the vector [h _jBS ] as the vector [h _jS ] and proceeds to step S320. In the case of No, the vector [h _jbS ] is set as the vector [h _j ], and the process proceeds to step S573 (S572). In step S573, the processing repeater 570 (processing repeater 570 ₁ ,..., 570 _N ) substitutes b + 1 for b, and returns to step S520.

Corresponding random replacement means 320 performs random replacement between records by secret calculation while maintaining the correspondence between table [v] and vector [h _1S ], and _changes the correspondence between table [c _B ] and vector [h _2S ]. While maintaining, the records are randomly replaced by secret calculation, and the randomly replaced tables [v _R ], [c _BR ] and vectors [h _1R ], [h _2R ] are obtained (S320).

The corresponding vector decoding means 330 decodes the vectors [h _1R ] and [h _2R ] to obtain the vectors h _1R and h _2R (S330).

The correspondence rearranging means 340 decodes the table [c _B ] and c _B = (1, 2,..., M) ^T (where T indicates transposition), and h _1R = h _2R Thus, the records in the table c _B and the table [v _R ] are rearranged to obtain the table [v _L ] (S340). The table [v _L ] is the desired table.

The secret matching system of the present embodiment also associates a vector [h _j ] with each record as data that serves as a mark between corresponding records in advance. Then, after processing such as sorting is completed, corresponding records can be linked even if the correspondence is not known in the middle by using this mark. Further, the table [X] is divided to obtain the tables [X ₁ ],..., [X _J ], and the tables [X _{b (1)} ] _{,. (D)} ] is selected, predetermined processing is performed only on the table [X _{b (1)} ],..., [X _{b (D)} ], and after the predetermined processing is completed, Since it returns to the inside, the calculation efficiency can be improved.

[Secret calculation]
In the above description, it is assumed that the secret calculation is not limited to one method, and no specific example is shown. In the following description, random substitution performed by the secret matching devices 10 ₁ ,..., 10 _N (20 ₁ ,..., 20 _N or 30 ₁ ,..., 30 _N ) and other secret calculations will be described. In the following description, the secret matching device 10 _n will be described, but the same applies to the secret matching devices 20 _n and 30 _n . Moreover, the following description regarding the secret calculation is an example, and the present invention is not limited to this. Other secret computations may be used in the secret matching system of the present invention.

Random replacement 1
FIG. 7 shows a secret matching system in detail showing an example of the functional configuration of the secret sharing apparatus 100 _{n that} can be used in the present invention. FIG. 8 shows a first processing flow example of random replacement. In this example, the secret matching system also includes a selection unit 105. Here, A ₁ ,..., A _K are K numerical values (K is an integer _equal to or larger than 2) that each secret matching device 10 _n records and distributes fragments, and numerical values A _k are k-th numerical values (k is 1). An integer of K or less), a _kn is a k-th fragment recorded by the secret matching device 10 _n . Note that the numerical values A ₁ ,..., _AK are numerical values to be concealed, for example, numerical values to be sorted. The numerical value group as the sorting subject, for example, numerical A _k are considered numeric group shown an annual income of each person. The selection means 105 may be disposed inside any secret matching device or may be a single device.

The secret matching system includes a selection unit, a fragment replacement unit, and a redistribution unit. The secret sharing apparatus 100 _n includes at least a fragment replacement unit 110 _n , a re-distribution unit 120 _n, and a recording unit 190 _n . The recording unit 190 _n records fragments a _1n ,..., A _Kn, etc. The recording unit 190 _n also records information on the number a fragment of the numerical value A _k that the fragment a _kn recorded by itself is.

The selection unit 105 selects a number of secret matching devices 10 _n that is less than N (S105). For example, as long as N 'pieces of N pieces are collected and secret sharing is possible to restore the numerical value, a secret matching device having N' pieces or more and less than N pieces may be selected.

The fragment replacement means includes at least the fragment replacement units 110 ₁ ,..., 110 _N. Then, {1,..., K} → {1,..., Between the fragment replacement units 110 _{i of} the secret matching device 10 _i selected by the selection means 105 (where i is a number indicating the selected secret matching device). A bijection π of K} is created, and the fragment a _{π (k) i} recorded by the recording unit 190 _{i of} the selected secret matching apparatus 10 _i is set as the kth fragment (S110). The bijection π may be obtained by simply rearranging 1 to K at random. Note that the bijection π is preferably rearranged uniformly and randomly. For example, Fisher-Yates shuffle (Reference 1: Richard Durstenfeld, “Algorithm 235: Random permutation”, Communications of the ACM archive, Volume 7, Issue 7, 1964.) etc. The bijection π may be generated between the selected secret matching devices 10 _i , or may be generated by one secret matching device among the selected secret matching devices 10 _i to select the selected secret matching device. You may share between apparatus 10 _i .

Redispersion means, at least re-dispersing section ₁₂₀ 1, ..., configured to include a 120 _N. The re-distribution means re-distributes using the fragment a _{π (k) i} (replaced k-th ₎ corresponding to the numerical value A _{π (k)} replaced by the fragment replacement means, and performs a new fragment b _k1,. , B _kN are obtained and set as a fragment of the numerical value B _k (S120). That is, the relationship of A _{π (k)} = B _k holds, but the secret matching device that was not selected does not know bijection π, and therefore does not know that A _{π (k)} = B _k . The information that each secret matching device 10 _n recording unit 190 _n of not only recording the fragment b _kn, a fragment of fragment b _kn numerical B _k is the k-th fragment itself is recorded Also record. The numerical values _B 1, ..., a _{B K} new number _A 1, ..., and _{A K,} by changing the combination of the secret matching apparatus selected by the selection means, it is possible to repeat this process (S111, S112).

According to the secret matching system of the present invention, fragments are shuffled between limited secret matching devices. Therefore, the secret matching apparatus which has not been selected, does not know the BC [pi, numerical A _1, ..., A _K and number B _1, ..., do not know the correspondence between the B _K. That is, numerical values A ₁ from a specific secret matching _apparatus, ..., A _K and number B _1, ..., If you wish to state that corresponds is not known with B _K, choose a secret matching apparatus selecting means 105 Thus, the secret matching device to be selected may be determined in advance. Further, if this process is repeated while changing the secret matching device selected by the selection means 105 and all secret matching devices have not been selected, all secret matching devices have numerical values A ₁ ,. numerical _B 1 that can not be associated with _K, ..., can be obtained _{B K.}

Random replacement 2
FIG. 7 also shows a functional configuration example showing in detail the secret sharing apparatus 100 _n of the secret matching system for the next random replacement. FIG. 9 shows a second processing flow example of random replacement. Also in this example, the secret matching system also includes a selection unit 105. Here, A ₁ ,..., A _K are K numerical values (K is an integer _equal to or larger than 2) that each secret matching device 10 _n records and distributes fragments, and numerical values A _k are k-th numerical values (k is 1). An integer of K or less), a _kn is a fragment of a numerical value A _k recorded by the secret matching device 10 _n .

The secret matching system of the present invention includes a selection unit 105, an initial information distribution unit, an initial multiplication unit, a fragment replacement unit, a redistribution unit, a confirmation distribution unit, a confirmation multiplication unit, and a falsification detection unit. The secret sharing apparatus 100 _n includes an initial information distribution unit 130 _n , an initial multiplication unit 140 _n , a fragment replacement unit 110 _n , a redistribution unit 120 _n , a confirmation distribution unit 150 _n , a confirmation multiplication unit 160 _n , and a tampering detection unit 170. _n . The recording unit 190 _n records fragments a _1n ,..., A _Kn, etc. The recording unit 190 _n also records information on the number a fragment of the numerical value A _k that the fragment a _kn recorded by itself is.

The selection means 105 is the same as the random replacement 1. Initial information distribution means, the initial information distribution unit ₁₃₀ 1, ..., and a 130 _N. The initial information distribution unit 130 _i of the secret matching apparatus 10 _i selected by the selecting means 105, the secret matching device ₁₀ 1, ..., 10 K pieces of numerical _P 1 does not know any of _N, ..., _{P K} respectively Fragments p _1n ,..., P _Kn are obtained by secret calculation and recorded in the recording unit 190 _n (S130). Specifically, two or more secret matching devices are selected from the secret matching devices selected by the selection unit 105. Then, based on the value created by the selected secret matching device, a fragment of a value unknown to any device may be created. For example, two secret matching devices 10 _i and 10 _j are selected (where i ≠ j), and a numerical fragment generated by the secret matching device 10 _i and a numerical fragment generated by the secret matching device 10 _j are distributed. Record. Then, if the sum of the two numerical values is obtained by secret calculation and the fragments are distributed and recorded so that the result is not known, the numerical fragments that are not known by all the secret matching devices can be distributed and recorded. In this example, the number of selected secret computing devices is two, but two or more may be used.

The initial multiplication means, the initial multiplier ₁₄₀ 1, ..., and a 140 _N. The initial multiplication unit ₁₄₀ 1, ..., 140 _{N is, S k = P k × A} k is a numerical value _{S k} fragment _s k1 of, _..., determined by the _{s kN} secure computing, recording unit ₁₉₀ 1, ..., to 190 _N Distributed and recorded (S140).

Fragment replacement means and redispersion means are the same as random replacement 1. The confirmation dispersion means is composed of confirmation dispersion units 150 ₁ ,..., 150 _N. The confirmation dispersion unit 150 ₁ ,..., 150 _N generates a fragment q _k1 ,..., Q _kN of the numerical value Q _k with Q k = Pπ _(k) for _k = _{1 to K} by a secret calculation, and a recording unit 190 _1, ..., distributed and recorded in 190 _N (S150). Specifically, another fragment having a value unknown to any device may be created based on the value created by the secret matching device selected in step S130. For example, another fragment (new fragment) of the numerical value generated by the secret matching device 10 _i selected in step S130 for the numerical value P _{π (k)} and the secret matching device 10 _j selected in step S130 are the numerical value P _{π. (K)} Another piece of the numerical value generated for (a new piece) is distributed and recorded. Then, if the sum of the two numerical values is obtained by secret calculation and the fragments are distributed and recorded so that the result is not known, Q _k = P _{π (k)} and all secret matching devices do not know Numeric fragments can be distributed and recorded. In this example, the number of selected secret matching devices is two. However, two or more secret matching devices may be used as in step S130.

Check multiplying means, check multiplying unit ₁₆₀ 1, ..., and a 160 _N. Check multiplying unit ₁₆₀ 1, ..., 160 _{N is, T k = Q k × B} k is a numerical value _{T k} fragment _t k1 of, _..., determined by the _{t kN} secure computing, recording unit ₁₉₀ 1, ..., to 190 _N Distributed and recorded (S160).

Tampering detection means, the falsification detection unit ₁₇₀ 1, ..., and a 170 _N. The tampering detection units 170 ₁ ,..., 170 _N confirm that T _k = S _{π (k)} for _k = _{1 to K} (S 170). In the case of t _kn ≠ s _{π (k) n} , it is terminated abnormally because tampering has occurred. The numerical values _B 1, ..., a _{B K} new number _A 1, ..., and _{A K,} by changing the combination of the secret matching apparatus selected by the selection means, it is possible to repeat this process (S111, S112).

[Other secret calculations]
Here, an example of secret calculation when the secret matching system is configured by three secret matching devices will be described. Further, since it is not necessary to fix the numbers of the secret matching devices 10 ₁ , 10 ₂ , and 10 ₃ , they are expressed as secret matching devices 10 _α , 10 _β , and 10 _γ . That is, (α, β, γ) is any one of (1, 2, 3), (2, 3, 1), and (3, 1, 2).

In the following secret calculation, the fragments of the numerical value A recorded by the secret matching devices 10 _α , 10 _β , 10 _γ in a distributed manner are (a _γα , a _αβ ), (a _αβ , a _βγ ), (a _βγ , a _γα ), The fragments of the numerical value B are (b _γα , b _αβ ), (b _αβ , b _βγ ), (b _βγ , b _γα ), the fragments of the numerical value C are (c _γα , c _αβ ), (c _αβ , c _βγ). ), (C _βγ , c _γα ). In the following description, W is a predetermined integer of 2 or more, and the calculation result is a remainder obtained by dividing by W. In other words, “mod W” is omitted in the calculation formula described below.

Secret sharing of numerical value A (1) Random numbers a _αβ and a _βγ are generated.
₍₂₎ a γα = computes the _A-a αβ -a βγ, fragments _{(a γα, a αβ),} (a αβ, a βγ), and _(a βγ, a γα), the secret matching apparatus 10 _alpha, 10 _β, distributed and recorded in the 10 _γ.

Restoring numbers A (1) Secret matching device 10 _alpha sends a _Ganmaarufa secret matching device 10 _beta, and transmits the a _.alpha..beta secret matching device 10 _gamma. The secret matching device 10 _β transmits a _αβ to the secret matching device 10 _γ , and transmits a _βγ to the secret matching device 10 _α . The secret matching device 10 _γ transmits a _βγ to the secret matching device 10 _α and transmits a _γα to the secret matching device 10 _β .
(2) If the secret matching device 10 _alpha they match and the a _{[beta] [gamma]} received a _{[beta] [gamma]} and from a secret matching apparatus 10 _gamma received from the secret matching device 10 _beta, numerical by calculating _{a αβ + a βγ + a γα} A To restore. The secret matching device 10 _beta they match and the a _Ganmaarufa received a _Ganmaarufa and from a secret matching apparatus 10 _alpha received from the secret matching device 10 _gamma, restores the numeric A by calculating _a αβ + a βγ + a γα . The secret matching device 10 _gamma they match and the a _.alpha..beta received a _.alpha..beta and from a secret matching apparatus 10 _beta received from the secret matching device 10 _alpha, restores the numeric A by calculating _a αβ + a βγ + a γα .

C = A + B Secret Calculation (1) The secret matching device 10 _α calculates and records (c _γα , c _αβ ) = (a _γα + b _γα , a _αβ + b _αβ ), and the secret matching device 10 _β (c _αβ , C _βγ ) = (a _αβ + b _αβ , a _βγ + b _βγ ), and the secret matching device 10 _γ calculates (c _βγ , c _γα ) = (a _βγ + b _βγ , a _γα + b _γα ). And record.

C = A−B secret calculation (1) The secret matching device 10 _α calculates and records (c _γα , c _αβ ) = (a _γα -b _γα , a _αβ -b _αβ ), and the secret matching device 10 _β (C _αβ , c _βγ ) = (a _αβ −b _αβ , a _βγ −b _βγ ) is calculated and recorded, and the secret matching device 10 _γ is (c _βγ , c _γα ) = (a _βγ −b _βγ , _{aγα− bγα} ) is calculated and recorded.

Secret calculation of C = A + S (where S is a known constant)
(1) The secret matching device 10 _α calculates and records (c _γα , c _αβ ) = (a _γα + S, a _αβ ), and the secret matching device 10 _γ has (c _βγ , c _γα ) = (a _βγ , a _γα + S) is calculated and recorded. There is no processing of the secret matching device _10β .

C = AS secret calculation (where S is a known constant)
(1) The secret matching device 10 _α calculates and records (c _γα , c _αβ ) = (a _γα S, a _αβ S), and the secret matching device 10 _β has (c _αβ , c _βγ ) = (a _αβ S, a _βγ S) is calculated and recorded, and the secret matching device 10 _γ calculates and records (c _βγ , c _γα ) = (a _βγ S, a _γα S).

C = AB Secret Calculation (1) The secret matching device 10 _α generates random numbers r ₁ , r ₂ , c _γα , and c _αβ = (a _γα + a _αβ ) (b _γα + b _αβ ) −r ₁ −r _{2 -C} Calculate _γα . Then, the secret matching device 10 _alpha is the secret matching device 10 _beta a _(r 1, c _αβ), and transmits the secret matching device 10 _gamma a _(r 2, c _γα).
(2) The secret matching device 10 _β calculates y = a _αβ b _βγ + a _βγ b _αβ + r ₁ and transmits it to the secret matching device 10 _γ .
(3) the secret matching device 10 _gamma, calculates a _{z = a βγ b γα + a} γα b βγ + r 2, and transmits the secret matching device 10 _alpha.
(4) The secret matching device 10 _β and the secret matching device 10 _γ calculate c _βγ = y + z + a _βγ b _βγ , respectively.
(5) The secret matching device 10 _α records (c _γα , c _αβ ), the secret matching device 10 _β records (c _αβ , c _βγ ), and the secret matching device 10 _γ is (c _βγ , c _γα ). Record.

Secret calculation of negation of bit A (C = 1−A) The secret matching device 10 _α is (c _γα , c _αβ ) = (1−a _γα , −a _αβ mod W).
Is calculated and recorded, and the secret matching device 10 _β is (c _αβ , c _βγ ) = (− a _αβ mod W, −a _βγ mod W)
The secret matching device 10 _γ calculates (c _βγ , c _γα ) = (− a _βγ mod W, 1−a _γα ).
Calculate and record.

Secure computing <br/> secret matching apparatus 10 bit logical product _{(C = A∧B = AB) α} , 10 β, is 10 _gamma, the same processing as secure computing integer multiplication (C = AB mod W) Do.

Secret calculation of logical OR of bits (C = A∨B = A + B−AB) (1) The secret matching devices 10 _α , 10 _β , 10 _γ are the same processing as the secret calculation of integer addition (C = A + B mod W) As a result of C ′ = A + B, the secret matching device 10 _α uses the fragment (c _γα ′, c _αβ ′), the secret matching device 10 _β uses the fragment (c _αβ ′, c _βγ ′), and the secret matching device 10 _γ records the fragment (c _βγ ′, c _γα ′). The secret matching devices 10 _α , 10 _β , 10 _γ perform the same processing as the secret calculation of integer multiplication (C = AB mod W), and as a result of C ″ = AB, the secret matching device 10 _α is a fragment ( c _γα ″, c _αβ ″), the secret matching device 10 _{β records the} fragment (c _αβ ″, c _βγ ″), and the secret matching device 10 _γ records the fragment (c _βγ ″, c _γα ″).
(2) The secret matching devices 10 _α , 10 _β , and 10 _γ perform the same process as the secret calculation (where S is a known constant) of integer multiplication (C = AS mod W) with S = −1. As a result of '''=-C'', the secret matching device 10 _α is a fragment (c _γα ''', c _αβ '''), and the secret matching device 10 _β is a fragment (c _αβ ''', c _βγ ' ″), The secret matching device 10 _γ records the fragments (c _βγ ′ ″, c _γα ′ ″).
(3) The secret matching devices 10 _α , 10 _β , 10 _γ perform the same processing as the secret calculation of integer addition (C = A + B mod W), and as a result of C = C ′ + C ′ ″, the secret matching device 10 _{α records} the fragment (c _γα , c _αβ ), the secret matching device 10 _{β records} the fragment (c _αβ , c _βγ ), and the secret matching device 10 _γ records the fragment (c _βγ , c _γα ).

Secret calculation of exclusive OR of bits (C = A [∨] B = A + B-2AB) (1) Secret matching devices 10 _α , 10 _β , 10 _γ are secrets of integer addition (C = A + B mod W) The same processing as the calculation is performed, and as a result of C ′ = A + B, the secret matching device 10 _α uses the fragment (c _γα ′, c _αβ ′), and the secret matching device 10 _β uses the fragment (c _αβ ′, c _βγ ′). The secret matching device 10 _γ records the fragment (c _βγ ′, c _γα ′). The secret matching devices 10 _α , 10 _β , 10 _γ perform the same processing as the secret calculation of integer multiplication (C = AB mod W), and as a result of C ″ = AB, the secret matching device 10 _α is a fragment ( c _γα ″, c _αβ ″), the secret matching device 10 _{β records the} fragment (c _αβ ″, c _βγ ″), and the secret matching device 10 _γ records the fragment (c _βγ ″, c _γα ″).
(2) The secret matching devices 10 _α , 10 _β , and 10 _γ perform the same processing as the secret calculation of an integer multiplication (C = AS mod W) with S = -2 (where S is a known constant). As a result of C ″ ′ = − 2C ″, the secret matching device 10 _α is a fragment (c _γα ′ ″, c _αβ ′ ″), and the secret matching device 10 _β is a fragment (c _αβ ′ ″, c _βγ '''), the secret matching device 10 _γ records the fragments (c _βγ ''', c _γα ''').
(3) The secret matching devices 10 _α , 10 _β , 10 _γ perform the same processing as the secret calculation of integer addition (C = A + B mod W), and as a result of C = C ′ + C ′ ″, the secret matching device 10 _{α records} the fragment (c _γα , c _αβ ), the secret matching device 10 _{β records} the fragment (c _αβ , c _βγ ), and the secret matching device 10 _γ records the fragment (c _βγ , c _γα ).

Secret calculation of integer conversion of bits A (n), n = 0,..., N−1 Integer conversion of bits A (n) is

Is to seek. Further, the fragments of the bits A (n) recorded by the secret matching devices 10 _α , 10 _β , 10 _γ in a distributed manner are represented as (a (n) _γα , a (n) _αβ ), (a (n) _αβ , a ( n) _βγ ), (a (n) _βγ , a (n) _γα ). The secret matching device 10 _α

The secret matching device 10 _β is calculated and recorded

The secret matching device 10 _γ calculates and records

Calculate and record.

The secret calculation x (n) of the binary conversion of the N-bit integer A shall indicate the lower n + 1th bit of x.
(1) For n = 0 to N−1, the secret matching device 10 _β secretly distributes (a _αβ + a _βγ mod W) (n), and the secret matching devices 10 _α , 10 _β , 10 _γ are (a _αβ + a _βγ mod W) (n) fragments (b (n) _γα , b (n) _αβ ), (b (n) _αβ , b (n) _βγ ), (b (n) _βγ , b (n) _γα ) Are distributed and recorded. For n = 0 to N−1, the secret matching device 10 _γ secretly distributes (a _γα ) (n), and the secret matching devices 10 _α , 10 _β , 10 _γ are fragments of (a _γα ) (n) (( _aγα ) (n) _γα , ( _aγα ) (n) _αβ ), (( _aγα ) (n) _αβ , ( _aγα ) (n) _βγ ), (( _aγα ) (n) _βγ , (a _γα ) (n) _γα ) are dispersed and recorded.
(2) c _γα = 0, and the processes from (2-1) to (2-3) are repeatedly executed for n = 0 to N-1.
(2-1) d _n = b (n) + (a _γα ) (n) _-2b (n) (a _γα ) (n)
And _dn fragments are distributed and recorded.
_{(2-2) a (n) =} d n + c n -2d n c n
The secret calculation is performed and the pieces of a (n) are distributed and recorded.
(2-3) If n <N-1,
_{c n + 1 = b (n} ) (a γα) (n) + d n c n -b (n) (a γα) (n) d n c n
And _{cn + 1} fragments are distributed and recorded.

[Program, recording medium]
The various processes described above are not only executed in time series according to the description, but may also be executed in parallel or individually as required by the processing capability of the apparatus that executes the processes. Needless to say, other modifications are possible without departing from the spirit of the present invention.
Further, when the above-described configuration is realized by a computer, processing contents of functions that each device should have are described by a program. The processing functions are realized on the computer by executing the program on the computer.
The program describing the processing contents can be recorded on a computer-readable recording medium. As the computer-readable recording medium, any recording medium such as a magnetic recording device, an optical disk, a magneto-optical recording medium, and a semiconductor memory may be used.
The program is distributed by selling, transferring, or lending a portable recording medium such as a DVD or CD-ROM in which the program is recorded. Furthermore, the program may be distributed by storing the program in a storage device of the server computer and transferring the program from the server computer to another computer via a network.

A computer that executes such a program first stores, for example, a program recorded on a portable recording medium or a program transferred from a server computer in its own storage device. When executing the process, the computer reads a program stored in its own recording medium and executes a process according to the read program. As another execution form of the program, the computer may directly read the program from a portable recording medium and execute processing according to the program, and the program is transferred from the server computer to the computer. Each time, the processing according to the received program may be executed sequentially. Also, the program is not transferred from the server computer to the computer, and the above-described processing is executed by a so-called ASP (Application Service Provider) type service that realizes the processing function only by the execution instruction and result acquisition. It is good. Note that the program in this embodiment includes information that is used for processing by an electronic computer and that conforms to the program (data that is not a direct command to the computer but has a property that defines the processing of the computer).
In this embodiment, the present apparatus is configured by executing a predetermined program on a computer. However, at least a part of these processing contents may be realized by hardware.

_{10 1, ..., 10 N,} 20 1, ..., 20 N, 30 1, ..., 30 N secret matching device ₁₀₀ 1, ..., _{100 N} secret sharing device 105 selecting unit ₁₁₀ 1, ..., _{110 N} fragment replacement unit 120 _1, ..., 120 _N redispersion unit ₁₃₀ 1, ..., _{130 N} initial information distribution unit 140 _1, ..., 140 _N initial multiplication unit ₁₅₀ 1, ..., _{150 N} confirmation dispersion unit 160 _1, ..., 160 _N confirmation multiplying unit 170 _1, ..., 170 _N falsification detecting unit 190 _1, ..., 190 _N recording unit _{300 1, ..., 300 N,} 400 1, ..., 400 N, 500 1, ..., 500 N matching control unit 310 corresponding vector generation It means 310 _1, ..., 310 _N corresponding vector generation unit 320 corresponds for random permutation unit 320 _1, ..., 320 _N correspond for random replacement unit 330 corresponds for vector Le decoding means 330 _1, ..., 330 _N correspond for vector decoding unit 340 corresponds for rearranging unit 340 _1, ..., 340 _N correspond for rearranging unit 405, 505 Table dividing means _{405 1, ..., 405 N,} 505 1, ..., 505 _N table partitioning unit 450 Vector combining unit 450 ₁ , ..., 450 _N vector combining unit 460 Table combining unit 460 ₁ , ..., 460 _N Table combining unit 470 Table random replacement unit 470 ₁ , ..., 470 _N table random replacement part 480 for sorting vector decoding unit ₄₈₀ 1, ..., 480 _N sorting vector decoding unit 490 sorting unit 490 _1, ..., 490 _N sorting unit 520 for processing a random permutation unit 520 _1, ..., 520 _N processing random permutation unit 530 processing vector decoding unit 530 _1, ..., 530 _N processing vector decoding unit 540 for processing Beauty Sort unit 540 _1, ..., 540 _N processing rearranging unit 550 processing vector corresponding means 550 _1, ..., 550 _N processing vector corresponding unit 560 processing unit 560 _1, ..., 560 _N processor 570 for processing repetitive Means 570 ₁ ,..., 570 _N processing repeater 1000 network

Claims (8)

Predetermined processing is performed on _J tables [X ₁ ],..., [X _J ], each of which is composed of three or more secret matching devices, each consisting of M records and associated with each other. Table _[X 1S] of after, ..., from the _{[X JS],} Table _X 1S to record that is associated becomes the same order, _..., secret sharing corresponding to the table that sorts the records of _{X JS} A secret matching system for calculating a generated table,
M is an integer greater than or equal to 2, J is an integer greater than or equal to 2, i and j are integers greater than or equal to 1 and less than or equal to J, [] is a symbol indicating information in which information in parentheses is secretly distributed for each element, and the predetermined processing is Including a process for rearranging records for at least one table, [h _jS ] is a vector corresponding to the vector [h _j ] after the predetermined process, and [X _jS ] is after the predetermined process A table corresponding to the table [X _j ] of
Each of the three or more secret matching devices is
Generates a vector h _a having M different values to the element, obtains the vector [h _a] each element of the vector h _a by secret sharing, the vector [h _a] a by random permutation vector [h] For j = 1 to J, the correspondence between the elements of the same vector [h _j ] as the vector [h] is maintained even if the predetermined processing is performed on each record of the table [X _j ]. A corresponding vector generating means for matching;
For j = 1 to J, Table _{[X jS]} vector randomly replacing the records in _{[h jS]} and corresponding to remain secure computing maintaining the random substituted table _{[X jR]} vector _{[h jR]} And a corresponding random replacement means for obtaining
Vector _[h 1R], ..., and decodes the _{[h JR],} and corresponding for vector decoding means for obtaining vector _h 1R, _..., a _{h JR,}
Corresponding sorting means for sorting the records in the table [X _jR ] so that h _jR = h _iR for all combinations of j and i;
Secret matching system with The secret matching system according to claim 1,
J = 2, and the predetermined processing includes sorting using some or all elements of each record of the table [X ₁ ] having M records, and for the table [X ₂ ], Is not done,
further,
Each of the three or more secret matching devices is
A table dividing means for dividing the table [X] into the table [X ₁ ] and the table [X ₂ ] so that the table [X ₁ ] includes at least an element used for the predetermined processing;
A vector c composed of M elements having different values is created, each element is secretly distributed to obtain a vector [c], and after the predetermined processing, each element of the vector [c] is represented in a table [X _1S ]. A vector combining means for associating the records so that the correspondence between the records is maintained,
Table joining means that joins the tables [X _1R ] and [X _2R ] after the processing of the corresponding sorting means into a table [X _R ];
Random replacement means for randomly replacing the records in the table [X _R ] by secret calculation to obtain the table [X _RR ];
A vector decoding means for sorting for decoding the vector [c _RR ] after the processing of the table random permutation means for the vector [c] associated with the table [X _1S ], and obtaining the vector c _RR ;
Sorting means for moving each record of the table [X _RR ] so that each element of the vector c _RR matches each element of the vector c;
Secret matching system with The secret matching system according to claim 1,
Wherein the predetermined processing is B-number of process _F 1, ..., consist _{F B,} process _{F b} is a table with the M records _{[X 1], ..., [} X J] process F using some or all of the Processing determined for each _b , B is an integer of 1 or more, b is an integer of 1 to B, D is an integer of 1 to J, d is an integer of 1 to D, b (1),. (D) is a different integer from 1 to D, D ′ is an integer from 1 to
further,
Each of the three or more secret matching devices is
A table dividing means for dividing the table [X] into J pieces to obtain the table [X ₁ ],..., [X _J ];
[X _{b (1)} ],..., [X _{b (D)} ] having elements necessary for the process F _b is selected, and b [d) = b (1),. X _{b (d)} ] and the vector [h _{b (d)} ] are maintained, and the records are randomly replaced by secret calculation, and the randomly replaced table [X _{b (d) R} ] and the vector [h _{b (D) a} random replacement means for processing to obtain _R ];
Processing vector decoding means for decoding vectors [h _{b (1) R} ],..., [H _{b (D) R} ] to obtain vectors h _{b (1) R} ,..., H _{b (D) R} ;
H _{b (i) R} = h _{b (d) R} for all combinations of b (i) and b (d) (where i is 1, ..., D ₎ Reordering means for processing to reorder the records of the table [ _{Xb (d) R} ] to obtain the tables [ _{Xb (1) T} ],..., [ _{Xb (D) T} ];
Vector _{h b (i)} each element of a vector the elements were secret sharing of _{R [h b (i) R} ] Table _{[X b (1) T]} , ..., each record in the _{[X b (D) T]} And a processing vector correspondence means for associating so that the correspondence is maintained even if the processing F _b is performed,
Vector _{[h b (i) R]} table associated _{[X b (1) T]} , ..., performs processing _{F b} against _{[X b (D) T]} , vector after processing _{F b [h b (i) F]} Table after treatment _{F b} associated is _{[X b (1) F]} , ..., determine the _{[X b (D ') F} ], processing _{F b} before the J Table of 0 or more from, 'so that among the pieces of table with one or more, predetermined J' D after treatment F _b extracts the number of vectors and tables, the J 'on the new J updating Processing means for obtaining a vector [h _jbS ] and a table [X _1bS ],..., [X _JbS ] after the process F _b ;
b = either verify B, vector in the case of _{Yes [h} jbS] vector _{[h jS],} Table _{[X 1bS], ..., [} X JbS] Table _[X 1S] a, ..., a _{[X JS]} , No, the vector [h _jbS ] is the vector [h _j ], the table [X _1bS ],..., [X _JbS ] is the table [X ₁ ], ..., [X _J ], and b = 1 to B The processing random replacement means, the processing vector decoding means, the processing rearranging means, the processing vector corresponding means, a processing repeating means for repeating the processing of the processing means,
Secret matching system with Tables [X _1S ],..., [ _C ] after predetermined processing is performed on _J tables [X ₁ ],..., [X _J ] composed of M records and associated with each other. X _JS ] to calculate a secret-distributed table corresponding to a table in which the records of the tables X _1S ,..., X _JS are rearranged so that the associated records are in the same order. A secret matching device in a secret matching system composed of devices,
M is an integer greater than or equal to 2, J is an integer greater than or equal to 2, i and j are integers greater than or equal to 1 and less than or equal to J, [] is a symbol indicating information in which information in parentheses is secretly distributed for each element, and the predetermined processing is Including a process for rearranging records for at least one table, [h _jS ] is a vector corresponding to the vector [h _j ] after the predetermined process, and [X _jS ] is after the predetermined process A table corresponding to the table [X _j ] of
Generates a vector h _a having M different values to the element, obtains the vector [h _a] each element of the vector h _a by secret sharing, the vector [h _a] a by random permutation vector [h] For j = 1 to J, the correspondence between the elements of the same vector [h _j ] as the vector [h] is maintained even if the predetermined processing is performed on each record of the table [X _j ]. A corresponding vector generation unit for associating;
For j = 1 to J, Table _{[X jS]} vector randomly replacing the records in _{[h jS]} and corresponding to remain secure computing maintaining the random substituted table _{[X jR]} vector _{[h jR]} And a corresponding random replacement part for obtaining
Vector _[h 1R], ..., and decodes the _{[h JR],} vector _h 1R, _..., and corresponding for vector decoding unit for determining the _{h JR,}
A corresponding sorting unit for sorting the records in the table [X _jR ] so that h _jR = h _iR for all combinations of j and i;
A secret matching device comprising: Using three or more secret matching devices, predetermined processing is performed on _J tables [X ₁ ],..., [X _J ] each consisting of M records and associated with each other. Table _[X 1S] of after, ..., from the _{[X JS],} Table _X 1S to record that is associated becomes the same order, _..., secret sharing corresponding to the table that sorts the records of _{X JS} A secret matching method for calculating a generated table,
M is an integer greater than or equal to 2, J is an integer greater than or equal to 2, i and j are integers greater than or equal to 1 and less than or equal to J, [] is a symbol indicating information in which information in parentheses is secretly distributed for each element, and the predetermined processing is Including a process for rearranging records for at least one table, [h _jS ] is a vector corresponding to the vector [h _j ] after the predetermined process, and [X _jS ] is after the predetermined process A table corresponding to the table [X _j ] of
Each of the three or more secret matching devices is
Generates a vector h _a having M different values to the element, obtains the vector [h _a] each element of the vector h _a by secret sharing, the vector [h _a] a by random permutation vector [h] For j = 1 to J, the correspondence between the elements of the same vector [h _j ] as the vector [h] is maintained even if the predetermined processing is performed on each record of the table [X _j ]. A corresponding vector generation step to be associated;
For j = 1 to J, Table _{[X jS]} vector randomly replacing the records in _{[h jS]} and corresponding to remain secure computing maintaining the random substituted table _{[X jR]} vector _{[h jR]} A corresponding random replacement step for
Vector _[h 1R], ..., and decodes the _{[h JR],} vector _h 1R, _..., and corresponding for vector decoding step of obtaining a _{h JR,}
A corresponding sorting step for sorting the records in the table [X _jR ] so that h _jR = h _iR for all combinations of j and i;
Perform a secret matching method. The secret matching method according to claim 5,
J = 2, and the predetermined processing includes sorting using some or all elements of each record of the table [X ₁ ] having M records, and for the table [X ₂ ], Is not done,
Each of the three or more secret matching devices is
A table dividing step of dividing the table [X] into the table [X ₁ ] and the table [X ₂ ] so that the table [X ₁ ] includes at least an element used for the predetermined processing;
A vector c composed of M elements having different values is created, each element is secretly distributed to obtain a vector [c], and after the predetermined processing on the table [X ₁ ], the vector [c] A vector combining step for associating each element with each record of the table [X _1S ] so as to maintain correspondence;
A table joining step that joins the tables [X _1R ] and [X _2R ] after the correspondence sorting step into a table [X _R ];
Random replacement between records in table [X _R ] by secret calculation to obtain a table [X _RR ];
A vector decoding step for sorting to decode the vector [c _RR ] after the processing by the table random permutation means of the vector [c] associated with the table [X _1S ] to obtain the vector c _RR ;
A sorting step of moving each record of the table [X _RR ] so that each element of the vector c _RR matches each element of the vector c;
Perform a secret matching method. The secret matching method according to claim 5,
Wherein the predetermined processing is B-number of process _F 1, ..., consist _{F B,} process _{F b} is a table with the M records _{[X 1], ..., [} X J] process F using some or all of the Processing determined for each _b , B is an integer of 1 or more, b is an integer of 1 to B, D is an integer of 1 to J, d is an integer of 1 to D, b (1),. (D) is a different integer from 1 to D, D ′ is an integer from 1 to
Each of the three or more secret matching devices is
A table division step for dividing the table [X] into J pieces to obtain the table [X ₁ ],..., [X _J ];
[X _{b (1)} ],..., [X _{b (D)} ] having elements necessary for the process F _b is selected, and b [d) = b (1),. X _{b (d)} ] and the vector [h _{b (d)} ] are maintained, and the records are randomly replaced by secret calculation, and the randomly replaced table [X _{b (d) R} ] and the vector [h _{b (D) a} random replacement step for processing to obtain _R ];
Decoding vectors [h _{b (1) R} ],..., [H _{b (D) R} ] to obtain vectors h _{b (1) R} ,..., H _{b (D) R} ;
H _{b (i) R} = h _{b (d) R} for all combinations of b (i) and b (d) (where i is 1, ..., D ₎ Reordering records in table [ _{Xb (d) R} ] to obtain a table [ _{Xb (1) T} ],..., [ _{Xb (D) T} ];
Vector _{h b (i)} each element of a vector the elements were secret sharing of _{R [h b (i) R} ] Table _{[X b (1) T]} , ..., each record in the _{[X b (D) T]} And a processing vector corresponding step for associating such that the correspondence is maintained even if the processing F _b is performed,
Vector _{[h b (i) R]} table associated _{[X b (1) T]} , ..., performs processing _{F b} against _{[X b (D) T]} , vector after processing _{F b [h b (i) F]} Table after treatment _{F b} associated is _{[X b (1) F]} , ..., determine the _{[X b (D ') F} ], processing _{F b} before the J Table of 0 or more from, 'so that among the pieces of table with one or more, predetermined J' D after treatment F _b extracts the number of vectors and tables, the J 'on the new J updating Processing steps for _obtaining the vector [h _jbS ] and the table [X _1bS ],..., [X _JbS ] after the processing F _b ;
Check executed b = B, and in the case of Yes vector _{[h JBS]} vector _{[h jS],} Table _{[X 1bS], ..., [} X JbS] Table _[X 1S] a, ..., [X and _JS], vector in the case of _{No [h} jbS] vector _[h j], table _{[X 1bS], ..., [} X JbS] Table _[X 1] a, ..., a _{[X J],} b = 1 A secret matching method that repeats the processing random replacement step, the processing vector decoding step, the processing rearrangement step, the processing vector corresponding step, and the processing step for B to B.   A secret matching program for causing a computer to function as each secret matching device of the secret matching system according to claim 1.

Images